Securing downloads

I'm curious how others are doing secure downloads. I've tried a couple of different things:

* File transfer by setting the Response object up to directly deliver it.
* Tried to create a dynamic directory, copy the download into there, and then redirect to it

None of these are particularly good. Can anybody please suggest a working method that will allow me to distribute my 10-15M downloads? This is the primary purpose I got on DiscountASP.Net....

-R-

 

Here's a copy of a tutorial I wrote on Antionline a few years ago. I think it basically covers what you're trying to do (mask the source of the download). A lot of the links no loger work (ie the development site... long gone). Hope this helps.


__________________________________


BACKGROUND INFO (So you Know Where This Is Coming From)
----------------------------------------------------------------------------------------
The question posed was simple: Can anyone think of a way to protect a download link so that people cannot see where the download is coming from?

The poster went on to explain why this was needed. He thinks that people are using a direct link to download his company's software (thus bypassing the registration page). FYI, the poster was running IIS 5 and also stated that forcing a username/password was not an option (according to his higher ups).



DESIRED RESULT:
----------------------------------------------------------------------------------------
ASP solution to mask download source to avoid direct downloads



SOME PROPOSED IDEAS:
----------------------------------------------------------------------------------------
IDEA: Use http-referer to determine if user came from the registration form and then redirect them to the download page.
PROBLEM: Download page would still show a link to the file, meaning a direct path to the file could be attained by looking at the html source.

IDEA: Using a redirect straight to the file (not to an html or asp page containing a link to the file). PROBLEM: SittingDuck said it simply "If you think about, how does the browser know where to download the file from? If the browser knows, then so can you." Header information sent to the browser on the redirect WILL reveal the source file's path on the server and can easily be tested using Achilles. In addition, IE will open known file types with appropriate handlers rather than forcing a download. I tried this method with a zip file and got a bunch of encoded text displayed in my browser - not a viable solution if you ask me!

IDEA: 1) Person buys the software, and a dynamically generated link is sent to them. That link has an order number in it that specifies it as that specific download. The link is actually a script that is used to push the program out to the user. 2) When the user clicks on the link, the script parses the url, looks up that order number in the database, and serves up the program(s) that they purchased to them. 3) A cron job comes through nightly and deletes the link (script) that was created after 3 days so it is no longer accessible.
PROBLEM: I don't know what program does this on IIS. Comments/Suggestions welcome! I would assume this would be a corporate program and, if so, we have to factor in cost. Link would still be available until auto-deleted by the system, but that doesn't seem like too much of a risk to me.



SOLUTION I LIKE THE MOST (Can't vouch for others in the thread)
----------------------------------------------------------------------------------------
IDEA: Using the http-referer suggestion from above and, upon validating that the user has come from the registration page, streaming the file to the user rather than attempting to load/save the file through a redirect that is traceable with a proxy client.



SOURCE FILE (gleaned from http://www.planet-source-code.com/x...ts/ShowCode.htm )
----------------------------------------------------------------------------------------
This code will force a download (in IE, at least) of ANY file type, including common types that the browser usually loads... htm/asp/gif/jpg/txt, etc).

I made modifications to this code to add the http-referer check and add additional comments for the tutorial.


<%
' Check the origination of this user
If request.servervariables("http_referer") = "http://www12.brinkster.com/bluebeard96/form.asp" Then

'Insert whatever field validation, etc
If request.form("name") = "" then
Response.write "name is a required field. Please try again."
Else

' Constants for Reading Text File
Const ForAppending = 8
Const ForReading = 1
Const ForWriting = 2
Const TristateFalse = 0
Const TristateMixed = -2
Const TristateTrue = -1
Const TristateUseDefault = -2

' File System Objects
Dim FSO
Dim TS

' Server File (this is the REAL name of the file)
Dim strFile: strFile = Server.MapPath("sourcefile.txt")

' File to Save As (this is the name you want to tell the browser)
' Note: this does NOT have to match the name of the actual file!
Dim strFileSave: strFileSave = "savedfile.txt"

' Tell Browser what the file name is, so it doesn't try to save as "formproc.asp"
' Since the only info sent through the proxy is for the .asp page, we need to tell
' the browser what file name to show when you click "Save To Disk"
Call Response.AddHeader("Content-Disposition","attachment; filename=""" &amp; strFileSave &amp; """")

' Write out content-type that will FORCE user to SAVE FILE.
' Types such as "image/gif" will display in browser
Response.ContentType = "bad/type"

' Initialize File System Object
Set FSO = Server.CreateObject("Scripting.FileSystemObject")

' Open TextStream for Reading
Set TS = FSO.GetFile(strFile).OpenAsTextStream(ForReading,TristateTrue)

' TS.ReadAll DOES NOT WORK. Every Byte must be read and written individually.
' I think you can read them in Chunks, but this was easier. If you know how to
' Read chunks... go ahead, read chunks
' Output MUST be BinaryWrite

Do While Not (TS.AtEndOfStream)
Response.BinaryWrite(TS.Read(1))
Loop

' Cleanup, like all good programmers do.
TS.Close
Set TS = Nothing
Set FSO = Nothing

Response.End
End If
Else
Response.Write "This file can only be accessed through our <a href='form.asp'>registration form</a>"
End If
%>





CONCLUSIONS:
----------------------------------------------------------------------------------------
By loading the download as a stream rather than an individual file, we have successfully bypassed the proxy. The end user has NO knowledge of where the file is located.

By implementing a simple check on the http-referrer, we can verify that users came from the registration form. As far as filling out the form, well? that's up to the webmasters to implement effective form field validation. Granted? with this proposed solution somebody could provide false info in the form, be directed to the file stream, and receive the file. The bottom line, though, is that they don't have a direct link to use or pass on in the future? thus fulfilling the original request.





Mike Reilly, Secretary/Webmaster
Kiwanis Club of Rancho Penasquitos
"Serving the Children of the World"
[email protected]
www.KiwanisPQ.org
(760) 419-7429